Generally IPsec processing is based on policies. After regular route lookups are done, the OS kernel consults its SPD for a matching policy and if one is found that is associated with an IPsec SA, the packet is processed (e.g. Refer to IPsecDocumentation for details.

Depending on the operating system it is also possible to configure route-based VPNs. Here IPsec processing does not (only) depend on negotiated policies but may e.g. be controlled by routing packets to a specific interface. Most of these approaches also allow easy capture of plaintext traffic, which, depending on the operating system, might not be that straightforward with policy-based VPNs (see CorrectTrafficDump). Another advantage of this approach is that an MTU can be specified for the tunneling device, which allows fragmenting packets before tunneling them in case PMTUD does not work properly.

VTI Devices on Linux

Disclaimer: VTI devices are supported since the Linux 3.6 kernel, but some important changes were added later (3.15+). The information below might not be accurate for older kernel versions. Note: On newer kernels (4.19+), XFRM interfaces provide a better solution than VTI devices, see below for details.

VTI devices act like a wrapper around existing IPsec policies. This means you can't just route arbitrary packets to a VTI device to get them tunneled, the established IPsec policies have to match too. However, you can negotiate 0.0.0.0/0 traffic selectors on both ends to allow tunneling anything that's routed via the VTI device. To make this work, that is, to prevent packets not routed via the VTI device from matching the policies (if 0.0.0.0/0 is used every packet would match), marks are used. Only packets that are marked accordingly will match the policies and get tunneled. For other packets the policies are ignored. Whenever a packet is routed to a VTI device it automatically gets the configured mark applied so it will match the policy and get tunneled.

It's important to note that VTI tunnel devices are a local feature: no additional encapsulation (like with GRE, see below) is added, so the other end does not have to be aware that VTI devices are used in addition to regular IPsec policies.

A VTI device may be created with the following command:

The IPs are the endpoints of the IPsec tunnel. The number at the end has to match the mark configured for the connection. But note that the ip command treats names starting with vti special in some instances (e.g.
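As an added example (not the wiki's own script), the following POSIX shell function wraps the Linux VTI setup described above: it creates the device with `ip tunnel add ... mode vti key <mark>`, brings it up, skips the SPD check on the device itself via the disable_policy sysctl, and routes a prefix through it, after validating that the mark is a usable non-zero integer. The device name, the RFC 5737 documentation addresses, mark 42, the routed prefix and the DRY_RUN switch are assumptions for illustration; the IPsec connection on both peers must be configured with that same mark.

```shell
#!/bin/sh
# Added example: bring up a Linux VTI device bound to an IPsec connection's mark.
# Assumption: the connection is configured with the same mark in the IPsec
# daemon's configuration. Runs as root unless DRY_RUN=1, in which case the
# commands are printed instead of executed.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A mark must be a positive decimal integer that fits in 32 bits.
# Zero and leading zeros are rejected: mark 0 means "unmarked", so it would
# never distinguish VTI traffic from other packets.
valid_mark() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "$1" -le 4294967295 ]
}

# vti_up NAME LOCAL_IP REMOTE_IP MARK PREFIX
# NAME: device name; LOCAL_IP/REMOTE_IP: the IPsec tunnel endpoints;
# MARK: the key, which must equal the connection's mark; PREFIX: routed net.
vti_up() {
    name=$1 local_ip=$2 remote_ip=$3 mark=$4 prefix=$5
    valid_mark "$mark" || { echo "invalid mark: $mark" >&2; return 1; }
    # Packets routed to the device get this mark and so match the policy.
    run ip tunnel add "$name" local "$local_ip" remote "$remote_ip" mode vti key "$mark"
    run ip link set "$name" up
    # Skip the SPD lookup on the VTI device itself; matching against the
    # IPsec policies already happened in the XFRM layer for marked packets.
    run sysctl -w "net.ipv4.conf.$name.disable_policy=1"
    # Anything routed through the device is tunneled (given 0.0.0.0/0 selectors).
    run ip route add "$prefix" dev "$name"
}
```

Run `DRY_RUN=1 sh -c '. ./vti.sh; vti_up vti42 192.0.2.1 198.51.100.1 42 10.0.0.0/8'` to preview the four commands before executing them as root.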